CVE-2026-32013 in OpenClaw

Summary

by MITRE • 03/20/2026

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability identified as CVE-2026-32013 affects OpenClaw versions prior to 2026.2.25 and represents a critical symlink traversal flaw within the agent file handling mechanisms. This security weakness resides in the agents.files.get and agents.files.set methods, which fail to properly validate file paths when processing symbolic links. The vulnerability stems from inadequate input sanitization and path resolution logic that allows attackers to manipulate file access through carefully crafted symbolic links.

The technical implementation of this vulnerability enables attackers to bypass intended access controls by creating symbolic links to allowlisted files within the agent workspace. When the vulnerable methods process these symbolic links, they follow the target path without proper validation, effectively allowing unauthorized file operations outside the designated workspace boundaries. This behavior creates a path traversal condition that can be exploited to read sensitive files or write malicious content to arbitrary locations within the host system. The flaw operates at the file system level where symbolic link resolution occurs before proper access control checks are applied.
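The mechanism described above comes down to where the containment check is made: if the allowlist is compared against the requested name only, the operating system still follows a symlink at open() time. The following added example (written for this page, not OpenClaw's code; the workspace layout, the file names notes.md and memory.md and the allowlist are constructed) shows a lexical check reading a file outside the workspace through a symlink, and a hardened lookup that resolves the path first and rejects anything that lands outside the workspace root.

```python
"""Added example: symlink escape past a name-only allowlist, and the fix."""
import os
import tempfile
from pathlib import Path


def naive_lookup(workspace: Path, relpath: str, allowlist: set[str]) -> Path:
    """Lexical check only: the requested *name* is allowlisted, so the path is
    handed back as-is. If that name is a symlink, open() follows it wherever
    it points, including outside the workspace."""
    if relpath not in allowlist:
        raise PermissionError(f"{relpath} is not allowlisted")
    return workspace / relpath


def safe_lookup(workspace: Path, relpath: str, allowlist: set[str]) -> Path:
    """Allowlist check plus a containment check on the *resolved* path.
    resolve(strict=True) follows every symlink component (and '..'); the
    result must be the workspace root itself or lie beneath it."""
    if relpath not in allowlist:
        raise PermissionError(f"{relpath} is not allowlisted")
    root = workspace.resolve(strict=True)
    target = (workspace / relpath).resolve(strict=True)
    if target != root and root not in target.parents:
        raise PermissionError(f"{relpath} resolves outside the workspace: {target}")
    return target


def demo() -> dict:
    """Builds a constructed workspace in a temporary directory:
    notes.md is a regular file, memory.md is a symlink to a file that sits
    outside the workspace. Both names are on the allowlist."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        outside = base / "host-file.txt"          # constructed "host" file
        outside.write_text("host data\n")
        workspace = base / "workspace"
        workspace.mkdir()
        (workspace / "notes.md").write_text("notes\n")
        os.symlink(outside, workspace / "memory.md")
        allow = {"notes.md", "memory.md"}

        # Name-only check: the symlink is followed and the outside file is read.
        naive_read = naive_lookup(workspace, "memory.md", allow).read_text()

        # Resolved-path check: the same request is refused.
        try:
            safe_lookup(workspace, "memory.md", allow)
            safe_blocked = False
        except PermissionError:
            safe_blocked = True

        # A genuine in-workspace file still works under the hardened check.
        safe_real = safe_lookup(workspace, "notes.md", allow).read_text()

    return {"naive_read": naive_read, "safe_blocked": safe_blocked, "safe_real": safe_real}


if __name__ == "__main__":
    print(demo())
```

The hardened lookup returns the resolved path, and the caller should open that path rather than the original name; otherwise a symlink swapped in between the check and the open() would reopen the same gap. Opening with O_NOFOLLOW on the final component closes that window where the platform supports it.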

The operational impact of this vulnerability extends beyond simple unauthorized file access, as it can potentially enable complete system compromise through code execution. Attackers can leverage this weakness to overwrite critical system files, inject malicious code into running processes, or manipulate configuration files that control agent behavior. The gateway process permissions provide a crucial boundary that attackers can circumvent through this symlink traversal, potentially elevating their privileges within the system. This vulnerability directly aligns with CWE-35, which describes path traversal vulnerabilities, and represents a specific implementation flaw in the file access control mechanisms.

The exploitation of this vulnerability requires attackers to first establish symbolic links within the agent workspace that point to sensitive host files or directories. Once established, the agents.files.get and agents.files.set methods will follow these links and perform operations on the target files, effectively bypassing the intended security boundaries. The attack surface is particularly concerning as it operates within the context of the gateway process, which typically has elevated privileges and access to system resources. This vulnerability can be classified under ATT&CK technique T1059, Command and Scripting Interpreter, as attackers may use the compromised agent to execute malicious code through file overwrite operations.

Organizations should immediately implement mitigations including upgrading to OpenClaw version 2026.2.25 or later, which contains proper path validation and symbolic link handling. Additional protective measures include restricting symbolic link creation capabilities within agent workspaces, implementing strict file access controls, and monitoring for suspicious file operations. The mitigation strategy should also include regular security audits of file handling mechanisms and implementation of automated tools to detect and prevent unauthorized symbolic link creation. Network segmentation and process isolation can help limit the potential impact if exploitation occurs, while proper logging and monitoring can detect suspicious access patterns that may indicate exploitation attempts.
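For the "automated tools to detect and prevent unauthorized symbolic link creation" mentioned above, a periodic audit of the workspace is the simplest form. The added example below (written for this page, not part of OpenClaw; the workspace contents are constructed) walks a workspace without following links and reports every symlink whose resolved target lies outside the workspace root, plus dangling links, which is the same containment rule a hardened file method would apply at request time.

```python
"""Added example: audit a workspace for symlinks that escape it."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(workspace: Path) -> list[tuple[str, str]]:
    """Returns (path relative to workspace, raw link target) for each symlink
    that resolves outside the workspace root or cannot be resolved at all.
    followlinks=False keeps the walk from descending into symlinked
    directories, so a link to a large outside tree is reported, not scanned."""
    root = workspace.resolve(strict=True)
    findings: list[tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(workspace, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            try:
                target = entry.resolve(strict=True)
            except (OSError, RuntimeError):
                target = None          # dangling link or symlink loop
            if target is None or (target != root and root not in target.parents):
                findings.append((str(entry.relative_to(workspace)), os.readlink(entry)))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Constructed workspace: one legitimate in-workspace link, one link to a
    file outside the workspace, one link to an outside directory, one dangling."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "outside.txt").write_text("outside\n")
        (base / "outside-dir").mkdir()
        workspace = base / "workspace"
        (workspace / "sub").mkdir(parents=True)
        (workspace / "real.md").write_text("ok\n")
        os.symlink("../real.md", workspace / "sub" / "alias.md")        # stays inside
        os.symlink(base / "outside.txt", workspace / "escape.md")       # escapes
        os.symlink(base / "outside-dir", workspace / "sub" / "escape-dir")
        os.symlink("missing.md", workspace / "dangling.md")             # dangling
        return find_escaping_symlinks(workspace)


if __name__ == "__main__":
    for rel, target in demo():
        print(f"{rel} -> {target}")
```

Running the audit on a schedule, or from a file-change hook on the workspace, turns a silent symlink into a logged event; the in-workspace alias is deliberately not reported, so the output stays actionable.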

Responsible

VulnCheck

Reservation

03/10/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00049

KEV

no

Activities

very low
